- If the original request was made before the NetScaler appliance detected the DoS attack, but the resent request was made after the appliance had come under attack.
- When the client's think time exceeds four minutes, after which the cookie becomes invalid.
Both of these scenarios are rare, but not impossible. In addition, the HTTP DoS protection
feature has the following limitations:
- Under an attack, all POST requests are dropped, and an error page with a cookie is sent.
- Under an attack, all embedded objects without a cookie are dropped, and an error page with a cookie is sent.
The HTTP DoS protection feature may affect other NetScaler features. Using DoS protection
for a particular content switching policy, however, creates additional overhead because the
policy engine must find the policy to be matched. There is some overhead for SSL requests
due to SSL decryption of the encrypted data. Because most attacks are not on a secure
network, though, the attack is less aggressive.
- The memory of the NetScaler is not wasted on false SYN packets. Instead, memory is used to serve legitimate clients.
- Normal TCP communications with legitimate clients continue uninterrupted, even when the Web site is under SYN flood attack.
In addition, because the NetScaler appliance allocates memory for HTTP connection state
only after it receives an HTTP request, it protects Web sites from idle connection attacks.
SYN DoS protection on your NetScaler appliance requires no external configuration. It is
enabled by default.
show ns feature
Example
                           Acronym          Status
                           ------           ------
 1)                        WL               ON
 2)                        SP               OFF
 .
 .
 .
 10)                                        ON
 11)                                        ON
 12)                                        ON
 .
 .
 23)   HTML Injection      HTMLInjection    ON
 24)   NetScaler Push      push             OFF
 Done
>
show ns feature
No parameters provided in this topic or the command has no parameters.
Example
To modify an existing policy, select the policy, and then click Open.
3. In the Create HTTP DoS Policy or Configure HTTP DoS Policy dialog box, specify values
for the parameters:
QDepth* (qdepth)
Example
To modify an existing service, select the service, and then click Open.
3. In the Create Server or Configure Server dialog box, specify values for the following
parameters, which correspond to the descriptions in "Parameters for configuring an
HTTP DoS service" as follows (asterisk indicates a required parameter):
Port* (port)
4. If the Enable Service check box is not selected, select it.
5. Select the Advanced tab, and select the Override Global check box to enable those
choices.
6. Specify values for the following parameters.
Max Clients* (maxClient)
Max Requests* (maxReq)
7. Click Create or OK, and then click Close. The service appears in the list of services.
set service
maxClient
Maximum number of simultaneous open connections to the service.
Maximum value: 4294967294
maxReq
Maximum number of requests that can be sent on a persistent connection to the service.
Note: Connection requests beyond this value are rejected.
Maximum value: 65535
show lb monitor
Example
show lb monitor
No parameters provided in this topic or the command has no parameters.
bind service
policyName
Name of the policy to bind to the service.
policyname
Name of the policy to bind to the service.
- The average and normal values of the concurrent connections supported by your servers.
- The maximum output rate (responses/sec) that your server can generate.
- The limits affecting bandwidth (such as external links, a particular router, or other critical devices on the path that may suffer from a traffic surge).
To determine the characteristics of an HTTP DoS attack, you should consider the following
issues.
- What is the rate of incoming fake requests that you have experienced in the past?
- What types of requests have you received (complete posts, incomplete gets)?
- Did previous attacks saturate your downstream links? If not, what was the bandwidth?
- What types of source IP addresses and source ports did the HTTP requests have (e.g., IP addresses from one subnet, constant IP, ports increasing by one)?
- What types of attacks do you expect in future? What type have you seen in the past?
- Any or all information that can help you tune DoS attack protection.
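
The questions above about request rate, request types, and source IP and port patterns can be answered from request records captured during a past incident. The following is an added example, not part of the original documentation: the record format, the sample lines, the function names and the /24 grouping are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not from the original page). Assumed format:
# <epoch second> <source IP> <source port> <method> <complete|incomplete>
SAMPLE = """\
1000 203.0.113.10 40001 GET incomplete
1000 203.0.113.11 40002 GET incomplete
1000 203.0.113.12 40003 GET incomplete
1001 203.0.113.13 40004 GET incomplete
1001 203.0.113.14 40005 POST complete
1001 198.51.100.7 51515 GET complete
1002 203.0.113.15 40006 GET incomplete
1002 203.0.113.16 40007 GET incomplete
"""

def subnet_of(ip, prefix_len):
    """Return the enclosing network of an address, e.g. 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))

def characterize(text, prefix_len=24):
    """Summarize rate, request types and source patterns of request records."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows:
        raise ValueError("no request records")
    per_second = Counter(int(r[0]) for r in rows)
    span = max(per_second) - min(per_second) + 1
    # Request types, e.g. "incomplete GET" or "complete POST".
    types = Counter(f"{r[4]} {r[3]}" for r in rows)
    # Source concentration: does one subnet or one constant IP dominate?
    subnets = Counter(subnet_of(r[1], prefix_len) for r in rows)
    top_subnet, top_count = subnets.most_common(1)[0]
    _, top_ip_count = Counter(r[1] for r in rows).most_common(1)[0]
    # Ports increasing by one, checked in arrival order inside the top subnet.
    ports = [int(r[2]) for r in rows if subnet_of(r[1], prefix_len) == top_subnet]
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "peak_rps": max(per_second.values()),
        "avg_rps": len(rows) / span,
        "request_types": dict(types),
        "top_subnet": top_subnet,
        "top_subnet_share": top_count / len(rows),
        "top_ip_share": top_ip_count / len(rows),
        "sequential_port_share": sum(s == 1 for s in steps) / len(steps) if steps else 0.0,
    }

if __name__ == "__main__":
    for key, value in characterize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high subnet share combined with a high sequential-port share and mostly incomplete GETs points to a single scripted source range rather than a surge of legitimate clients.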